The 10 worst data breaches in history
In an increasingly digital world, data breaches have become alarmingly routine. Here are the 10 most destructive attacks ever

Microsoft’s SharePoint collaboration tools have faced widespread attacks over the last few days, impacting U.S. federal and state agencies, universities, energy companies, and more. It should come as no surprise: Each year, thousands of organizations fall victim to cyberattacks that compromise sensitive information, disrupt operations, and erode public trust.
Contrary to popular belief, many breaches are not the result of sophisticated modern exploits, but rather preventable failures caused by basic human error.
According to Verizon’s Data Breach Investigations Report, there has been a 34% increase in attackers exploiting existing company vulnerabilities since 2024. The average cost of a data breach has skyrocketed to around $9.36 million in the U.S. These rising costs reflect not just the technical damage of a breach but also the long-term reputational ruin.
Whether due to outdated infrastructure, human error, or targeted attacks, the consequences of a breach can be devastating for both the company and its users. Behind every headline about stolen records or compromised systems are millions of individuals whose private lives are suddenly exposed.
Cloud company Zmanda compiled a list of the 10 most expensive data breaches of all time, ranked by total overall damages. The 10 breaches featured here are just the most catastrophic of these incidents, representing only a fraction of the threats seen in recent years.
1. NotPetya malware (2017)

Total cost: $10 billion
NotPetya emerged in June 2017, disguised as ransomware but functioning as a data-wiping attack. It spread via a malicious update from M.E.Doc, Ukraine’s widely used tax software. The malware used EternalBlue, a leaked NSA tool that allowed remote code execution through Windows SMBv1, together with Mimikatz, which extracts credentials from system memory. Logistics company Maersk had to rebuild 4,000 servers and 45,000 PCs globally within days after its network was wiped. Most infections occurred in Ukraine, shutting down critical infrastructure including banks, transport, and the Chernobyl monitoring system. The U.S. and U.K. governments attributed the attack to Russia’s GRU military intelligence agency.
2. TJX Companies (2007)

Total cost: $4.5 billion
In 2007, hackers infiltrated TJX’s systems by exploiting weak WEP encryption on an in-store wireless network at Marshalls in Florida. Over 45.6 million credit and debit card numbers were stolen over an 18-month period, making it the largest retail data breach at the time. Attackers installed sniffers to intercept unencrypted transaction data and login credentials. Investigators later found TJX had retained prohibited Track 2 card data and violated multiple PCI DSS controls, prompting industry-wide reforms in merchant data security.
3. Epsilon (2011)

Total cost: $4 billion
In March 2011, Epsilon, one of the world’s largest email marketing firms, suffered a breach after attackers gained unauthorized access to its email system. The hackers stole names and email addresses from clients, including JPMorgan Chase, Best Buy, and Walgreens, affecting an estimated 60 million users. While no financial data was exposed, the stolen information fueled widespread phishing campaigns. The breach highlighted the risks of centralized marketing platforms and led companies to reevaluate third-party data sharing. Epsilon’s staggered client notifications also raised concerns about breach response coordination and transparency.
4. Equifax (2017)

Total cost: At least $1.4 billion in 2017
Attackers exploited CVE-2017-5638, a known vulnerability in the Apache Struts web framework that Equifax left unpatched for over two months in 2017 after a fix was released. This allowed unauthorized access to sensitive data on 147 million Americans, including names, birth dates, Social Security numbers, and driver’s license details. The breach went undetected for 76 days due to an expired SSL certificate that disabled internal traffic monitoring. Investigators later found Equifax lacked proper asset inventory and patch management, contributing to the scale of the compromise.
5. Meta (2018)

Total cost: $725 million
It was revealed in 2018 that Cambridge Analytica had harvested data from approximately 87 million Facebook users through a quiz app called This Is Your Digital Life, which collected not only user data but also data from their Facebook friends due to Facebook's API permissions. The data was used to build psychographic profiles for targeted political advertising, including during the 2016 U.S. presidential election. The breach violated Facebook’s 2012 FTC consent order, later leading to a $5 billion fine and sweeping privacy reforms. Facebook later restricted third-party data access and overhauled its privacy infrastructure.
6. The Department of Veterans Affairs (2006)

Total cost: $500 million
In May 2006, a VA data analyst took home a laptop and external hard drive containing unencrypted personal data on 26.5 million veterans, including names, birth dates, Social Security numbers, and disability ratings. The devices were stolen during a burglary, and the VA waited 19 days to notify the affected veterans. The breach exposed serious lapses in internal security and oversight, prompting congressional hearings and a government-wide push for encryption and breach notification policies. The stolen equipment was later recovered and forensic analysis found no evidence of data access.
7. Target (2013)

Total cost: $292 million
In late 2013, attackers infiltrated Target’s network using stolen credentials from its HVAC vendor, Fazio Mechanical Services. Once inside, they moved laterally and installed malware on point-of-sale systems, capturing 40 million payment card records and 70 million customer profiles during the holiday season. The malware scraped card data from system memory during live transactions. Target’s failure to segment its network allowed attackers to access sensitive systems from a vendor portal. The breach led to major reforms in third-party risk management and accelerated the adoption of chip-and-PIN card technology across U.S. retailers.
8. Hannaford Bros. (2008)

Total cost: $252 million
Between December 7, 2007 and March 10, 2008, malware installed on servers at nearly 300 Hannaford Bros. stores intercepted credit and debit card data during checkout, exposing 4.2 million card numbers. The malicious software captured data in transit while cards were being authorized rather than from stored databases, marking one of the first large-scale breaches of live transaction data. At least 1,800 cases of fraud were linked to the breach. Hannaford was PCI-compliant at the time, raising concerns about the adequacy of existing security standards and prompting calls for stronger encryption of in-flight payment data.
9. Sony PlayStation Network (2011)

Total cost: $171 million
Sony’s PlayStation Network suffered a breach that exposed personal data from 77 million user accounts, including names, email addresses, birthdates, and login credentials. Sony confirmed that credit card data was encrypted, but admitted it could not rule out the possibility of theft. The outage started on April 20, 2011 and lasted 23 days, making it one of the longest in gaming history. Sony faced criticism for delaying user notification and later offered free games and identity theft protection. The breach prompted major upgrades to Sony’s network security and incident response protocols.
10. Yahoo! (2014)

Total cost: $152.5 million
In late 2014, Yahoo suffered a breach that exposed personal data from 500 million user accounts, including names, email addresses, birthdates, phone numbers, and hashed passwords. Yahoo attributed the attack to a state-sponsored actor, though the particular nation was never confirmed. The breach wasn’t disclosed until September 2016, prompting criticism over Yahoo’s delayed response. Although most passwords were hashed using bcrypt, some accounts included unencrypted security questions and answers. The incident impacted Yahoo’s acquisition by Verizon and led to regulatory scrutiny and multiple lawsuits.